Thunderbird 128 is asking for EWS permissions when using Office365 accounts (but we are not granting EWS permissions anymore for security reasons)
Categories
(Thunderbird :: Account Manager, defect)
Tracking
Tracking flag | Status
---|---
thunderbird_esr115 | unaffected
thunderbird_esr128 | fixed
thunderbird129 | affected
thunderbird131 | fixed
People
(Reporter: franck.iaropoli, Assigned: mkmelin)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression)
Attachments
(2 files)
- 79.67 KB, image/png (Details)
- 48 bytes, text/x-phabricator-request (Details | Review); flags: corey: approval-comm-beta+, corey: approval-comm-esr128+
Steps to reproduce:
Install Thunderbird 128 release (Mac and Linux)
Actual results:
Thunderbird 128 is asking to access mailboxes as the signed-in user via Exchange Web Services.
We are not granted EWS permissions anymore for security reasons.
Expected results:
EWS permissions are not asked when doing authentication to your email account with Office365
Comment 1 (Assignee) • 4 months ago
Probably need to make EWS optional for the scope. Or somehow configurable.
https://searchfox.org/comm-central/rev/ddfc692f706f43a89365ebfebfeddced79fb1c89/mailnews/base/src/OAuth2Providers.sys.mjs#21
Would have to check if it can simply be dropped for 128 until we figure that out.
Comment 2 • 4 months ago
It could be simply that your administrator is particularly draconic and wants to approve every single app individually (which is extremely unhealthy for the software ecosystem, because it favors monopolists). And because Thunderbird changed scopes, it needs to be re-approved. Your screenshot suggests that.

> We are not granted EWS permissions anymore for security reasons

When you say "we", I assume you mean your company's employees. Did your administrator specifically disable this feature for your domain?

Does he allow IMAP and SMTP? If so, what is his rationale? EWS allows OAuth2 just as IMAP does, and EWS is based on https (SSL), so I don't see a good reason why EWS would be disabled. Could you please share what your admin said about it, and his rationale?
I know that many admins and domains disable login via EWS, IMAP, or other specific protocols. But I have never heard that the OAuth2 scope for EWS is specifically forbidden.
Comment 3 • 4 months ago
Hello,
Granting the EWS.AccessAsUser.All permission allows the client to do more than send/receive email (i.e. it's not a very granular permission). Thus I believe this (reasonably) makes IT security folks nervous - especially if it's not being used.
Would it be possible to only request this scope if needed? I.e. if the user explicitly asks for EWS?
In future, isn't EWS being retired from Microsoft 365 anyway? So EWS would become more of an on-prem Exchange option?
In the short term, is there any way an end-user/admin can override the scope? The only thing I could see was to repack omni.ja, but that wouldn't work with security updates.
Cheers,
Steve
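The two requests above (Comment 1: make the EWS scope optional per account; Comment 3: only ask for it when the user actually configures EWS, and give admins a way to see what was asked for) boil down to deriving the OAuth2 `scope` parameter from the protocols an account uses instead of a fixed provider-wide string. The following is an added example written for this page, not Thunderbird's code from OAuth2Providers.sys.mjs. Apart from `EWS.AccessAsUser.All`, which the bug names, the scope URIs, the `offline_access` base scope, the function names and the sample authorize URL are assumptions made for illustration.

```javascript
// Added example (not Thunderbird's own code).
// Part 1: build the Microsoft 365 OAuth2 scope string from the protocols an
// account actually uses, so EWS.AccessAsUser.All is only requested for EWS accounts.
// Part 2: an admin/user-side check that parses the authorize URL a client opened
// and flags any scope outside an allow-list.

// Scope URIs per protocol. Only EWS.AccessAsUser.All is named in the bug; the
// others are assumed here for illustration.
const MS365_SCOPES = {
  imap: "https://outlook.office.com/IMAP.AccessAsUser.All",
  pop3: "https://outlook.office.com/POP.AccessAsUser.All",
  smtp: "https://outlook.office.com/SMTP.Send",
  ews:  "https://outlook.office.com/EWS.AccessAsUser.All",
};

// Scopes every account needs regardless of protocol (assumed).
const BASE_SCOPES = ["offline_access"];

// protocols: e.g. ["imap", "smtp"] for a classic account, ["ews"] for an EWS account.
// Returns the space-separated scope string to put in the authorize request.
function scopesForAccount(protocols) {
  const unknown = protocols.filter(
    p => !Object.prototype.hasOwnProperty.call(MS365_SCOPES, p)
  );
  if (unknown.length) {
    throw new Error(`unknown protocol(s): ${unknown.join(", ")}`);
  }
  // A Set keeps insertion order and de-duplicates if a protocol is listed twice.
  const scopes = new Set(BASE_SCOPES);
  for (const p of protocols) scopes.add(MS365_SCOPES[p]);
  return [...scopes].join(" ");
}

// Given the authorize URL a client navigated to, return the scopes it requested
// and the subset not present in `allowed` (a Set of scope strings).
function auditAuthorizeUrl(url, allowed) {
  const scope = new URL(url).searchParams.get("scope") || "";
  const requested = scope.split(/\s+/).filter(Boolean);
  const denied = requested.filter(s => !allowed.has(s));
  return { requested, denied };
}

// Constructed sample authorize URL, shaped like the one a mail client opens for
// a Microsoft 365 login (client_id is a placeholder).
const SAMPLE_AUTHORIZE_URL =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code" +
  "&scope=" + encodeURIComponent(
    "offline_access " +
    "https://outlook.office.com/IMAP.AccessAsUser.All " +
    "https://outlook.office.com/SMTP.Send " +
    "https://outlook.office.com/EWS.AccessAsUser.All"
  );

// Allow-list an admin might enforce: mail protocols only, no EWS.
const MAIL_ONLY_ALLOWLIST = new Set([
  "offline_access",
  MS365_SCOPES.imap,
  MS365_SCOPES.pop3,
  MS365_SCOPES.smtp,
]);

// Usage: a classic IMAP+SMTP account never asks for the EWS scope, and the
// audit of the sample URL reports EWS.AccessAsUser.All as the one denied scope.
console.log(scopesForAccount(["imap", "smtp"]));
console.log(auditAuthorizeUrl(SAMPLE_AUTHORIZE_URL, MAIL_ONLY_ALLOWLIST).denied);
```

The audit half is the practical answer to "can an end user or admin see what was asked for" without repacking omni.ja: copy the authorize URL from the consent prompt (or a proxy log) and compare its `scope` parameter against what the tenant actually grants.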
Comment 5 (Assignee) • 2 months ago
Pushed by benc@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/d6c5a6c3a0de
Don't request EWS permissions for non EWS accounts as EWS permissions may not be granted for security reasons. r=babolivier
Comment 7 (Assignee) • 2 months ago
Comment on attachment 9422319 [details]
Bug 1908866 - Don't request EWS permissions for non EWS accounts as EWS permissions may not be granted for security reasons. r=babolivier
[Approval Request Comment]
User impact if declined: may not be able to log in (to o365 account)
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): always some unknown unknowns with oauth, but overall not very risky since we would not ask the same permissions that we used to in 115
Comment 8 • 2 months ago
Comment on attachment 9422319 [details]
Bug 1908866 - Don't request EWS permissions for non EWS accounts as EWS permissions may not be granted for security reasons. r=babolivier
[Triage Comment]
Approved for beta
Comment 9 • 2 months ago
bugherder uplift
Thunderbird 131.0b3:
https://hg.mozilla.org/releases/comm-beta/rev/b0729d042999
Comment 10 • 2 months ago
Comment on attachment 9422319 [details]
Bug 1908866 - Don't request EWS permissions for non EWS accounts as EWS permissions may not be granted for security reasons. r=babolivier
[Triage Comment]
Approved for esr128
Comment 11 • 2 months ago
bugherder uplift
Thunderbird 128.2.2esr:
https://hg.mozilla.org/releases/comm-esr128/rev/b48e3e413a67